Keyring on external encrypted drive
ndk.clanbo at gmail.com
Thu May 23 21:18:40 CEST 2013
On 23/05/2013 20:43, Peter Lebbing wrote:
>> Really useful, IMVHO. Unless you have to sign *a lot* of things...
> Werner Koch does not agree it's a security feature (and I suppose that's why you
> think it's useful), as he said in this thread:
>  http://lists.gnupg.org/pipermail/gnupg-users/2013-February/046051.html
Similar threads appeared on OpenSC ML too.
That's why I was investigating a "port" of OpenPGPCard to Yubico token
(that offers a button that can be read by the Java code -- too bad it
requires a library available from NXP only under strict NDA :( ).
A less robust (against invasive attacks) option could be the GNUK token.
>> In any case it is not a security measure because the host may simply
>> cache the PIN and silently do a verify command before each sign
>> operation. To avoid that simple workaround, a pinpad reader which
>> filters the VERIFY command would be needed.
The host may cache it only if it ever sees it :)
There exist cards with button and display: having an OOB bidirectional
channel can give much more security...
Another option could be a HOTP code instead of a static PIN (maybe I'll
include this in MyPGPid :) ).